Module 1 - Introduction to Incident Handling and Response
External Assessment
Assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world
Formula for an Attack?
Attacks = Motive (Goal) + Method + Vulnerability
Mission Impact Analysis
Based on a qualitative or quantitative assessment of the sensitivity and criticality of the assets, prioritizes the impact levels associated with the compromise of those assets.
Defense-in-depth?
A security strategy in which security professionals use several protection layers throughout an information system.
Risk Management
A set of policies or procedures to identify, assess, prioritize, minimize and control risks.
Risk Mitigation
A strategic approach to preparing to handle risks and reduce their impact on the organization.
Internal Assessment
A technique to scan the internal infrastructure to uncover exploits and vulnerabilities.
Passive assessment
A technique used to sniff the network traffic to uncover active systems, network services, applications, and vulnerabilities
Non-repudiation
A way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
How do you define a "Threat"?
An undesired event that attempts to access, exfiltrate, manipulate, or damage an organization's resources, compromising their confidentiality, integrity, or availability.
Economic Warfare
Blocking or disrupting the flow of information in order to affect the economy of a business or nation.
Threat intelligence
Collection and analysis of information about threats and adversaries. Includes drawing of patterns that inform knowledgeable decisions related to cyber attack preparedness, prevention, and response. Also known as "cyber threat intelligence (CTI)".
What are the 5 Elements of Information Security?
Confidentiality, Integrity, Availability, Authenticity, Non-Repudiation
Email Security Policy
Created to govern the proper usage of corporate email.
Nation state attribution
Deals with attributing attacks sponsored by one nation against another nation.
Group attribution
Deals with attributing an attack to a group based on the association of multiple malicious actors and their shared attack methodologies.
Campaign attribution
Deals with attributing an attack based on the malware used or the campaign strategy of a specific malware family.
Intrusion-set Attribution
Deals with attributing the attacker based on the intrusion patterns.
True Attribution
Deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target.
Firewall Management Policy
Defines access, management, and monitoring of firewalls in the organization.
Acceptable Use Policy
Defines the acceptable use of system resources.
User-Account Policy
Defines the account creation process and the authority, rights and responsibilities of user accounts.
Access Control Policy
Defines the resources being protected and the rules that control access to them.
Information Protection Policy
Defines the sensitivity levels of information, who may have access, how information is stored and transmitted, and how information should be deleted from storage media.
Special Access Policy
Defines the terms and conditions of granting special access to system resources.
Remote-Access Policy
Defines who can have remote access, defines access medium, and defines remote access security controls.
Network Connection Policy
Defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
Risk
Degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or resources under specified conditions.
Network Assessments
Determines the possible network security attacks that may be waged on the organization's system
Host-Based Assessment
Determines the vulnerabilities in a specific workstation or server by performing a configuration-level check through the command line.
Wireless Network Assessments
Determines the vulnerabilities in the organization's wireless networks
Tangible Cost
Direct expenditures related to an incident. Can be quantified and identified (e.g., lost productive hours, loss of business, loss or theft of resources).
Vulnerability assessment
Examination of the ability of a system or application, including current security procedures and controls, to withstand assault. Recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels.
Intangible Cost
Expenditures that the org cannot calculate directly or value accurately (e.g., damage to corporate reputation, loss of goodwill, psychological damage, damage to shareholder value).
Authenticity
Genuineness or uncorruptedness of any communication, document or data.
Threat Correlation
Helps an organization monitor, detect, and escalate evolving threats across its networks. The main objective is to reduce false-positive alert rates while still detecting and escalating stealthy, complex attacks.
What are the most common threat sources?
Human, natural, environmental
Common sources of Precursors and Indicators:
IDPS, SIEM, Antivirus/Antispam Software, File Integrity Checking Software, Third-Party Monitoring Services, OS/Service/Network/Application Logs.
Risk Assessment
Identification of risks, estimation of their impact, and determination of sources to recommend proper mitigation measures. Identification of risk is the initial step of the risk management plan.
Asset criticality assessment
Identifies and prioritizes the sensitive and critical information assets that support the critical missions of the organization.
Network devices susceptible to vulnerabilities:
・Access points ・Routers ・Wireless routers ・Switches ・Firewall
Top infosec Attack Vectors?
・Cloud Computing Threats ・Advanced Persistent Threats (APT) ・Viruses and Worms ・Ransomware ・Mobile Threats ・Botnet ・Insider Attack ・Phishing ・Web Application Threats ・Internet of Things (IoT) Threats
Typical motives behind infosec attacks?
・Disrupting business continuity ・Performing information theft ・Manipulating data ・Creating fear and chaos by disrupting critical infrastructure ・Bringing financial loss to the target ・Propagating religious or political beliefs ・Achieving the state's military objectives ・Damaging the reputation of the target ・Taking revenge ・Demanding ransom ・Fun/thrills/exploration
What are some of the impacts of an Information Security Attack?
・Financial Losses ・Loss of Confidentiality and Integrity ・Damaged Customer Relationship ・Loss of Business Reputation ・Legal and Compliance Issues ・Operational Impacts
Typical Application threats?
・Improper data/input validation ・Authentication and authorization attacks ・Security misconfiguration ・Improper error handling and exception management ・Information disclosure ・Hidden-field manipulation ・Broken session management ・Buffer overflow issues ・Cryptography attacks ・SQL injection ・Phishing
Typical network threats?
・Information gathering ・Sniffing and eavesdropping ・Spoofing ・Session hijacking ・Man-in-the-middle attack ・DNS and ARP poisoning ・Password-based attacks ・Denial-of-service attack ・Compromised-key attack ・Firewall and IDS attacks
Types of information security incidents:
・Malicious Code or Insider Threat Attacks ・Unauthorized Access ・Unauthorized Usage of Services ・Email-based Abuse ・Espionage ・Fraud and Theft ・Employee Sabotage and Abuse ・Network and Resources Abuses ・Resource Misconfiguration Abuses
Typical Host threats?
・Malware attacks ・Footprinting ・Profiling ・Password attacks ・Denial-of-service attacks ・Arbitrary code execution ・Unauthorized access ・Privilege escalation ・Backdoor attacks ・Physical security threats
Vulnerability Classifications:
・Misconfigurations ・Default Installations ・Buffer Overflows ・Unpatched Servers ・Design Flaws ・Operating System Flaws ・Application Flaws ・Open Services ・Default Passwords
Common areas of vulnerability in applications:
・Networking software ・Network operations and management ・Firewall and network security applications ・Database software
What information does a vulnerability scanner identify?
・OS version running on computers or devices ・IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening ・Applications installed on computers ・Accounts with weak passwords ・Files and folders with weak permissions ・Default services and applications that might have to be uninstalled ・Mistakes in the security configuration of common applications ・Computers exposed to known or publicly reported vulnerabilities
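The configuration-level checks that a host-based assessment runs from the command line, and that a vulnerability scanner reports on (listening ports, accounts with weak passwords, files with weak permissions, default or unapproved services), as an added example that is not from the course material. All input is constructed inline (a shadow-style snippet, a list of file modes, and an `ss -tlnp`-style listing) so it runs offline; the `FORBIDDEN_SERVICES` baseline is an assumed policy.

```python
"""Host-based configuration checks over constructed sample data.
Added example, not from the course. Inputs are constructed inline so the
script runs offline: a /etc/shadow-style snippet, a (path, mode) listing,
and an 'ss -tlnp'-style listing of listening sockets.
"""
import re

# Constructed /etc/shadow-style records (user:hash:...). An empty second
# field means the account has no password at all; '!' or '*' means locked.
SAMPLE_SHADOW = """\
root:$6$abc$xyz:19000:0:99999:7:::
backup::19000:0:99999:7:::
svc_app:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Constructed (path, octal mode) pairs, as 'find / -printf "%p %m"' would give.
SAMPLE_FILES = [
    ("/etc/cron.d/nightly", 0o777),
    ("/opt/app/config.ini", 0o644),
    ("/var/tmp/upload", 0o666),
    ("/usr/local/bin/deploy.sh", 0o755),
]

# Constructed 'ss -tlnp' output.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=5))
LISTEN  0       511     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1201,fd=4))
LISTEN  0       4096    *:3306               *:*                users:(("mysqld",pid=1310,fd=21))
"""

# Assumed hardening policy: services that must never listen on a host.
FORBIDDEN_SERVICES = {"telnetd", "rshd", "ftpd"}


def accounts_without_password(shadow_text):
    """Return usernames whose password field is empty."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            weak.append(fields[0])
    return weak


def world_writable(files):
    """Return paths whose mode grants write to 'other' (o+w)."""
    return [path for path, mode in files if mode & 0o002]


def exposed_listeners(ss_text):
    """Parse ss output into (port, process, exposed) tuples; exposed means
    bound to a non-loopback address."""
    pat = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    result = []
    for line in ss_text.splitlines():
        m = pat.match(line)
        if not m:
            continue  # header line or a socket without process info
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        exposed = addr not in ("127.0.0.1", "::1", "[::1]")
        result.append((port, proc, exposed))
    return result


def host_findings(shadow_text=SAMPLE_SHADOW, files=SAMPLE_FILES, ss_text=SAMPLE_SS):
    """Combine the checks into the (severity, message) list a scanner report shows."""
    findings = []
    for user in accounts_without_password(shadow_text):
        findings.append(("HIGH", f"account '{user}' has an empty password"))
    for path in world_writable(files):
        findings.append(("MEDIUM", f"{path} is world-writable"))
    for port, proc, exposed in exposed_listeners(ss_text):
        if proc in FORBIDDEN_SERVICES:
            findings.append(("HIGH", f"forbidden service {proc} listening on port {port}"))
        elif exposed:
            findings.append(("LOW", f"{proc} exposed on all interfaces, port {port}"))
    return findings


if __name__ == "__main__":
    for sev, msg in host_findings():
        print(f"[{sev}] {msg}")
```

On a real host the three inputs come from `cat /etc/shadow` (as root), `find` with `-printf`, and `ss -tlnp`; the parsing and the decision rules stay the same.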
Commonly Targeted Assets
・Personal Details ・Financial Information ・Intellectual Property ・Sensitive Business Data ・Login Details and IT System Information
Characteristics of an information asset?
・Recognized to be of value ・Considered an asset to the org ・Difficult to replace in terms of cost, skills, time and resources ・Part of the org's corporate identity ・Data classified as an information asset is confidential and proprietary ・Plays a significant role in the org's business ・Organized documentation that helps the org achieve its goals ・Maintained by people working in a consistent and cooperative manner ・Can be a unique enterprise application or part of one; the loss of the information affects the org's investments in different business activities.
What are the goals of security policies?
・Reduce or eliminate legal liability of employees and third parties. ・Protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification. ・Prevent wastage of the company's computing resources.
Commonly used correlation techniques:
・Relating multiple incident types and sources across multiple nodes ・Incident sequence ・Incident persistence ・Incident-directed data collection
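Three of the correlation techniques listed above (relating events from several sources and nodes by a shared key, detecting an ordered incident sequence, and requiring persistence before escalating) run over a constructed event set. This is an added example, not course material; the event records, host names, the `ATTACK_SEQUENCE` chain and the thresholds are all made up for illustration.

```python
"""Event correlation over constructed sample events. Added example, not
from the course. Demonstrates: relating events from several sensors and
nodes by source IP, matching an ordered attack sequence within a time
window, and suppressing one-off alerts until they persist."""
from collections import defaultdict
from datetime import datetime

# Constructed events: (timestamp, node, sensor, source IP, event type)
EVENTS = [
    ("2024-05-01T10:00:05", "fw1",   "firewall", "203.0.113.7",  "port_scan"),
    ("2024-05-01T10:01:10", "web1",  "ids",      "203.0.113.7",  "ssh_bruteforce"),
    ("2024-05-01T10:01:12", "web1",  "auth",     "203.0.113.7",  "login_failed"),
    ("2024-05-01T10:01:14", "web1",  "auth",     "203.0.113.7",  "login_failed"),
    ("2024-05-01T10:01:16", "web1",  "auth",     "203.0.113.7",  "login_failed"),
    ("2024-05-01T10:02:30", "web1",  "auth",     "203.0.113.7",  "login_success"),
    ("2024-05-01T10:03:00", "db1",   "auth",     "203.0.113.7",  "login_success"),
    ("2024-05-01T10:05:00", "fw1",   "firewall", "198.51.100.9", "port_scan"),
    ("2024-05-01T10:07:00", "mail1", "auth",     "192.0.2.44",   "login_failed"),
]

# Assumed rule parameters.
ATTACK_SEQUENCE = ["port_scan", "ssh_bruteforce", "login_success"]  # must occur in order
PERSISTENCE_THRESHOLD = 3   # same event type from the same source this many times
WINDOW_SECONDS = 600        # whole sequence must fit in this window


def _ts(s):
    return datetime.fromisoformat(s)


def group_by_source(events):
    """Relate events from different sensors/nodes by a shared key (source IP),
    sorted by time within each group."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[3]].append(ev)
    for ip in groups:
        groups[ip].sort(key=lambda e: e[0])
    return groups


def matches_sequence(events, sequence, window):
    """True if the event types appear in the given order within `window` seconds
    of the first matching event."""
    idx, start = 0, None
    for ev in events:
        if ev[4] == sequence[idx]:
            if start is None:
                start = _ts(ev[0])
            if (_ts(ev[0]) - start).total_seconds() > window:
                return False
            idx += 1
            if idx == len(sequence):
                return True
    return False


def persistent_types(events, threshold):
    """Event types repeated at least `threshold` times; single alerts are ignored."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev[4]] += 1
    return sorted(t for t, c in counts.items() if c >= threshold)


def correlate(events=EVENTS):
    """Return source IP -> findings. A source with one stray alert and no
    sequence produces nothing, which is what keeps false positives down."""
    findings = {}
    for ip, evs in group_by_source(events).items():
        nodes = sorted({e[1] for e in evs})
        f = {}
        if matches_sequence(evs, ATTACK_SEQUENCE, WINDOW_SECONDS):
            f["sequence"] = ATTACK_SEQUENCE
        persistent = persistent_types(evs, PERSISTENCE_THRESHOLD)
        if persistent:
            f["persistent"] = persistent
        if len(nodes) > 1:
            f["lateral_nodes"] = nodes   # same actor seen on several hosts
        if f:
            f["sensors"] = sorted({e[2] for e in evs})
            findings[ip] = f
    return findings


if __name__ == "__main__":
    for ip, f in correlate().items():
        print(ip, f)
```

Only 203.0.113.7 is escalated: its events come from three sensors on three nodes, match the scan/brute-force/login chain, and the failed logins cross the persistence threshold. The lone port scan from 198.51.100.9 stays below the reporting bar.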
What are the types of threat actors?
・Script kiddies ・Organized hackers ・Hacktivists ・State-sponsored Attackers ・Insider Threat ・Cyber Terrorists ・Recreational Hackers ・Suicide Hackers ・Industrial Spies
What's the difference between technical and administrative security policies?
・Technical security policies describe how the technology is configured so that it can be used securely and conveniently. ・Administrative security policies address how all persons should behave.
Common areas of Vulnerability:
・Users ・Operating System ・Applications ・Network Devices ・Network Infrastructure ・Internet of Things (IoT) ・Configuration Files
What processes are included under Incident Management?
・Vulnerability analysis ・Artifact analysis ・Security awareness training ・Intrusion Detection ・Technology Monitoring
Offensive Information Warfare
Involves attacks against ICT assets of an opponent to compromise the target's assets.
Impact analysis
Involves estimating the adverse impact of exploitation of a vulnerability by a threat source.
Incident Management
It is a set of defined processes used to identify, analyze, prioritize, and resolve security incidents and restore a system to normal service and operations as soon as possible while preventing further recurrence of the incident. It improves service quality, resolves problems proactively, reduces impacts of incidents, meets service availability requirements, increases staff efficiency and productivity, improves user/customer satisfaction and assists in handling future incidents.
What are the three main categories of information security threats?
Network threats, Host threats and Application Threats
What is a Promiscuous Policy?
No restrictions on usage of system resources.
Threat Targets and Assets
Organizational resources attacked by threat actors in order to gain control or steal information and launch further attacks on the organization.
What is a Permissive Policy?
The policy begins wide open and only known dangerous services, attacks, or behaviors are blocked. It must be regularly updated to remain effective.
Paranoid Policy
The policy forbids everything; there is no Internet connection, or Internet usage is severely limited.
What is a Prudent Policy?
The policy provides maximum security while allowing known but necessary dangers. All services are blocked by default; only safe or necessary services are enabled individually, and everything is logged.
Two categories of incident signs:
Precursor - a sign that a security incident may occur in the future (e.g., threats from hackers, a newly published exploit). Indicator - a sign that an incident has probably occurred or is currently in progress (e.g., a warning from AV or a scanner, firewall/IDS/IPS alerts, web server unavailability).
Vulnerability Management
Proactive approach designed to identify, classify, and mitigate vulnerabilities.
Threat Contextualization
Process of assessing threats and their impacts under various (contextual) conditions. Threat context is obtained by detecting and analyzing current vulnerabilities in the IT resources, such as networks and information systems.
Threat assessment
Process of examining, filtering, transforming, and modeling of acquired threat data to extract threat intelligence.
Threat Attribution
Process of identifying and attributing the actors behind an attack as well as their goals, motives and sponsors.
Passwords Policy
Provides guidance for using strong password protection on organization's resources.
Likelihood Analysis
The calculation of probability that a threat source exploits an existing system vulnerability
What is a vulnerability?
The existence of a weakness or a design or implementation error that, when exploited, leads to an unexpected and undesirable event that compromises the security of the system.
Risk Determination
Combines the likelihood of an anticipated incident with its impact to assign a risk level.
Control analysis
The process of analyzing various security controls implemented by the organization to eradicate or minimize the probability that a threat will exploit a system vulnerability.
Cost of an incident?
The sum of all direct and indirect losses caused by the attack plus the amount spent recovering from the incident, including IH&R activities. Orgs typically employ financial auditors to estimate the total cost.
InfoWar
The use of information and communication technologies (ICT) for competitive advantages over an opponent.
Cyber Warfare
The use of information systems against the virtual personas of individuals or groups.
Integrity
Trustworthiness of data or resources in the prevention of improper and unauthorized changes.
Psychological Warfare
Use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
Active assessment
Uses a network scanner to find hosts, services, and vulnerabilities
Electronic Warfare
Uses radio-electronic and cryptographic techniques to degrade communication.
Hacker warfare
Attacks on computer systems for various purposes, including theft of information, false messaging, and other infosec attacks.
Steps in the Vulnerability Management Life Cycle
1) Baseline Creation 2) Vulnerability Assessment 3) Risk Assessment 4) Remediation 5) Verification 6) Monitoring
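The six life-cycle steps walked through once on constructed scan data: a baseline of approved services per host, a scan that finds drift and weaknesses, prioritization by severity and exploit range (the two classification axes used later in this module), remediation of the high-rated findings, a verification rescan, and a final drift check as monitoring. This is an added example rather than course material; the hosts, service versions, issue labels and the "fix all highs first" policy are assumptions for illustration.

```python
"""Vulnerability management life cycle on constructed scan data. Added
example, not from the course. Hosts, versions and issue labels are made
up; none refers to a real advisory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str        # e.g. "openssh 7.4"
    issue: str          # constructed label, not a real advisory
    severity: str       # "low" | "medium" | "high"
    exploit_range: str  # "local" | "remote"


# 1) Baseline creation: approved services per host.
BASELINE = {
    "web1": {"openssh 9.6", "nginx 1.24"},
    "db1":  {"openssh 9.6", "postgres 15.5"},
}

# 2) Vulnerability assessment: constructed output of a scan run later.
SCAN_1 = [
    Finding("web1", "nginx 1.24", "directory listing enabled", "low", "remote"),
    Finding("web1", "openssh 7.4", "outdated ssh daemon", "high", "remote"),
    Finding("db1", "postgres 15.5", "trust auth for local socket", "medium", "local"),
    Finding("db1", "telnetd", "unapproved service present", "high", "remote"),
]

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}
RANGE_SCORE = {"local": 0, "remote": 1}   # remotely exploitable ranks above local


def drift(scan, baseline):
    """Services seen in the scan that the host's baseline does not approve."""
    return sorted({(f.host, f.service) for f in scan
                   if f.service not in baseline.get(f.host, set())})


def prioritize(scan):
    """3) Risk assessment: remote + high first. Equal scores keep scan order."""
    return sorted(scan, reverse=True,
                  key=lambda f: SEVERITY_SCORE[f.severity] * 2 + RANGE_SCORE[f.exploit_range])


def remediate(scan, fixed_issues):
    """4) Remediation: simulate a rescan after the listed issues are fixed."""
    return [f for f in scan if f.issue not in fixed_issues]


def verify(rescan, original):
    """5) Verification: original findings that still show up after remediation."""
    return [f for f in original if f in rescan]


def lifecycle(scan=SCAN_1, baseline=BASELINE):
    """Run steps 2-6 once and return a summary."""
    ordered = prioritize(scan)
    fix_now = {f.issue for f in ordered if f.severity == "high"}   # assumed policy
    rescan = remediate(scan, fix_now)
    still_open = verify(rescan, scan)
    return {
        "drift_before": drift(scan, baseline),
        "priority_order": [f.issue for f in ordered],
        "fixed": sorted(fix_now),
        "still_open": [f.issue for f in still_open],
        # 6) Monitoring: compare the post-remediation state against the baseline again.
        "drift_after": drift(rescan, baseline),
    }


if __name__ == "__main__":
    for k, v in lifecycle().items():
        print(f"{k}: {v}")
```

The two remaining medium/low findings are what the next cycle inherits; monitoring reports no drift once the downgraded SSH daemon and the unapproved telnetd are gone, because what remains is an approved service with a configuration issue rather than an unapproved one.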
IH&R Steps
1) Preparation 2) Incident Recording and Assignment 3) Incident Triage 4) Notification 5) Containment 6) Evidence Gathering and Forensic Analysis 7) Eradication 8) Recovery 9) Post-Incident Activities
What are the steps in Risk Assessment?
1) System Characterization 2) Threat Identification 3) Vulnerability Identification 4) Control Analysis 5) Likelihood Analysis 6) Impact Analysis 7) Risk Determination 8) Control Recommendation 9) Risk Assessment Report
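The nine risk assessment steps carried through on constructed data: assets with a mission criticality, threat/vulnerability pairs with a raw likelihood, a control analysis that lowers likelihood where a control exists, impact taken from asset criticality, a likelihood-times-impact matrix for risk determination, and a control recommendation for anything rated High. This is an added example, not from the course; the assets, pairs, the 3x3 matrix thresholds and the "one control removes one likelihood level" rule are assumptions for illustration.

```python
"""Risk assessment steps on constructed data. Added example, not course
material; asset names, threat/vulnerability pairs, the matrix thresholds
and the control-adjustment rule are all assumptions."""

# 1) System characterization: asset -> mission criticality (1 low .. 3 high)
ASSETS = {"customer_db": 3, "public_website": 2, "intranet_wiki": 1}

# 2-3) Threat identification + vulnerability identification, with a raw
#      likelihood (1 low .. 3 high) before any control is considered.
PAIRS = [
    {"asset": "customer_db", "threat": "external attacker", "vuln": "SQL injection in API", "likelihood": 3},
    {"asset": "customer_db", "threat": "insider", "vuln": "excess DBA privileges", "likelihood": 2},
    {"asset": "public_website", "threat": "botnet", "vuln": "no rate limiting", "likelihood": 3},
    {"asset": "intranet_wiki", "threat": "malware", "vuln": "unpatched plugin", "likelihood": 2},
]

# 4) Control analysis: controls already in place per vulnerability.
CONTROLS = {
    "SQL injection in API": ["WAF with SQLi rules"],
    "excess DBA privileges": [],
    "no rate limiting": ["CDN with DDoS scrubbing"],
    "unpatched plugin": [],
}
CONTROL_EFFECT = 1  # assumed: each control lowers likelihood by one level, floor 1

LEVELS = {1: "Low", 2: "Medium", 3: "High"}


def adjusted_likelihood(pair):
    """5) Likelihood analysis after crediting existing controls."""
    n = len(CONTROLS.get(pair["vuln"], []))
    return max(1, pair["likelihood"] - n * CONTROL_EFFECT)


def impact(pair):
    """6) Impact analysis: driven by the criticality of the affected asset."""
    return ASSETS[pair["asset"]]


def risk_level(likelihood, impact_score):
    """7) Risk determination: 3x3 matrix collapsed to a score (assumed thresholds)."""
    score = likelihood * impact_score   # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def recommend(pair, level):
    """8) Control recommendation; assumed policy: only High is unacceptable."""
    if level != "High":
        return None
    return f"add compensating control for '{pair['vuln']}' on {pair['asset']}"


def assess(pairs=PAIRS):
    """9) Risk assessment report rows, highest risk first."""
    report = []
    for p in pairs:
        lk, im = adjusted_likelihood(p), impact(p)
        level = risk_level(lk, im)
        report.append({
            "asset": p["asset"], "threat": p["threat"], "vuln": p["vuln"],
            "likelihood": LEVELS[lk], "impact": LEVELS[im],
            "risk": level, "recommendation": recommend(p, level),
        })
    order = {"High": 0, "Medium": 1, "Low": 2}
    report.sort(key=lambda r: order[r["risk"]])   # stable: ties keep input order
    return report


if __name__ == "__main__":
    for row in assess():
        print(row)
```

Note how the WAF lowers the SQL injection likelihood from High to Medium yet the pair still rates High because the asset's impact is High; the same control on a low-criticality asset would have dropped it to Medium. That interaction between control analysis and impact analysis is the reason the steps are run in this order.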
Availability
The assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.
Intelligence-based Warfare
Sensor-based technology that directly corrupts technological systems.
How do security experts and vulnerability scanners classify vulnerabilities?
By Severity Level (low, medium, or high) and by Exploit Range (local or remote).
Motive?
A motive originates from the notion that the target system stores or processes something valuable; this signals that the system may be under threat of an attack.
What is a "threat actor"?
A person or entity responsible for harmful incidents, or with the potential to impact the security of an organization's network.
Incident Handling and Response (IH&R)
A process of taking organized and careful steps when reacting to a security incident or cyberattack.
Defensive Information Warfare
Refers to all the strategies and actions that security professionals and incident responders use to defend their organization and its ICT assets from cyber attackers.
Command-and-control Warfare (C2 Warfare)
Refers to the control an attacker holds over a compromised system or network, and attacks on an opponent's ability to command and control its own systems.
Information security
Refers to the protection or safeguarding of information and information systems (i.e., systems that use, store and transmit information) from unauthorized accesses, disclosures, alterations, and destruction.
Application Assessments
Tests the web infrastructure for any misconfigurations and known vulnerabilities
Confidentiality
The assurance that information is accessible only to those who are authorized to have access.
